I would recommend that you drop a user like scott from your database unless you have a business reason to keep it. You may feel that this is a development environment and you want to give folks the freedom to look around at things they may not see in production. But, consider this...does your development environment parallel your production environment in the form of accounts that are present, location of data files, tablespace names,...giving someone this freedom to look around gives them an insight into your production system. This insight can end up giving a hacker a leg-up on breaking things. (Giving folks the ability to view the password column in the view dba_users will permit them to use password cracking software to obtain passwords for accounts like SYS and SYSTEM. Then the garage door is open to the house... Take a look at this article that is free on Oracle's Technet site for securing your database. It's informative and a good start to help secure your database. http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.ht ml Bill ________________________________ From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Rumpi Gravenstein Sent: Tuesday, June 12, 2007 12:31 PM To: DennisCutshall@xxxxxxxxxxxxxxxxxx Cc: oracle-l@xxxxxxxxxxxxx Subject: Re: Sql Developer What a user can browse is more a reflection on the privileges you've given the user than insight into a tool's capabilities. In the case you've described, any user that can logon as Scott will be able to browse the same objects. What the tool is doing for you is shining some light on the privileges the Scott account has been granted. I would think that in a development setting this would be a good thing as many of the system objects should be helpful in the building of your applications. In production the privileges should be limited to what is needed. On 6/12/07, Dennis Cutshall <DennisCutshall@xxxxxxxxxxxxxxxxxx> wrote: Hi, We are looking at using Oracle's SQL Developer as a development tool. Does anyone have any experience with this product? If so, please pass on your findings. We are particularly concerned about security. We noticed that any user e.g. Scott, can look at many of the objects in SYS and SYSTEM. Is this a concern, or are those normally public? Dennis Dennis Cutshall Data Base Administrator University of North Dakota ITSS Phone: <chrome://skype_ff_toolbar_win/content/cb_transparent_l.gif> <chrome://skype_ff_toolbar_win/content/famfamfam/us.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/arrow.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> <chrome://skype_ff_toolbar_win/content/space.gif> (701) 777-4109 <chrome://skype_ff_toolbar_win/content/cb_transparent_r.gif> Fax: (701)777-3978 E-Mail: DennisCutshall@xxxxxxxxxxxxxxxxxx -- Rumpi Gravenstein